History log of /openbsd-current/sys/net/pf_syncookies.c
Revision Date Author Comments
# 1.7 10-Sep-2018 henning

in pf_syncookie_validate, return early if we don't have syncookies in
flight that can possibly match. there is a tiny but existing chance that
a sequence number matches w/ our hash and we'd end up dropping traffic.
unclear whether that has actually happened since the report chain is long :)
report via haesbert via bluhm; ok bluhm


# 1.6 18-Jun-2018 procter

Refactor the six ways to find TCP options into one new function. As a result:
- MSS and WSCALE option candidates must now meet their min type length.
- 'max-mss' is now more tolerant of malformed option lists.
These changes were immaterial to the live traffic I've examined.
OK sashan@ mpi@


Revision tags: OPENBSD_6_3_BASE
# 1.5 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.4 08-Feb-2018 henning

add DIOCGETSYNFLWATS to get current synflood detection watermarks,
ok claudio benno procter


# 1.3 07-Feb-2018 henning

provide counters for # of synfloods detected, # of syncookies sent,
# of syncookies successfully validated, ok phessler


# 1.2 07-Feb-2018 dlg

unbreak strict alignment archs by using SIPHASH_KEY for siphash
keys, not uint8_t array.

found by sparc64.

probably ok henning@, but he's at coffee


# 1.1 06-Feb-2018 henning

syncookies implementation to be used in pf, based on the FreeBSD one by
Andre Oppermann, heavily adjusted for pf instead of stack use and with
entirely rewritten timeout machinery and new hashing
with bits from sashan, widely discussed with the other network hackers
